
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-05-21  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Added support for accept-{int}-ftppasv-ports option.
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# 
#n# ftppasv
#t# clients
#
#   |--------------------------------------------------------------------|
#d# Support passive mode FTP. Leave this variable empty unless you really
#d# need it. Passive mode allows connecting to accept-{int}-ftppasv-ports
#d# from any other high port.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

#--------------------------------------------------------------------
# FTP Passive (All High Ports)
#--------------------------------------------------------------------
# Passive mode FTP gives the client access to ALL of your high ports.
# The rules are placed last to give precedence to any DENYs on high
# ports.
#--------------------------------------------------------------------

# Add the passive-mode FTP accept rules for every client returned by the
# ftppasv "clients" option of the current interface ($INTOPT).
#
# NOTE(review): the expansions are left unquoted exactly as before;
# presumably $LOG can be empty and must then disappear from the command
# line, so confirm how these variables are populated before quoting them.
for host in $(Option_Value accept $INTOPT ftppasv clients); do
	echo "Accept $INTOPT $IPADDR FTP <- $host Pasv $LOG_MSG"

	# Control connection: the client may reach the ftp port on $IPADDR
	# from any source port in $UNPRIVPORTS. No SYN restriction here, so
	# the client is allowed to open the connection.
	ipchains -A $INCHAIN -j ACCEPT -p tcp \
		-s $host $UNPRIVPORTS -d $IPADDR ftp $LOG
	# Return path: "! -y" excludes connection-opening SYN packets, so
	# this rule only carries traffic of connections the client started.
	ipchains -A $OUTCHAIN -j ACCEPT -p tcp ! -y \
		-s $IPADDR ftp -d $host $UNPRIVPORTS $LOG

	# Data connections: the same inbound/return pair, once per value of
	# the ftppasv "ports" option. The rules match on address and port
	# only, so whatever listens on a listed port is reachable by this
	# client, not just the FTP daemon's data socket. Keep the option as
	# narrow as the daemon's passive port range.
	for port in $(Option_Value accept $INTOPT ftppasv ports); do
		ipchains -A $INCHAIN -j ACCEPT -p tcp \
			-s $host $UNPRIVPORTS -d $IPADDR $port $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p tcp ! -y \
			-s $IPADDR $port -d $host $UNPRIVPORTS $LOG
	done
done
# Only the outer loop variable is cleared; $port keeps its last value
# whenever the inner loop ran at least once.
unset host

